Win95.Smash.1026 Viruses Information

Name: Win95.Smash.1026
Category: Viruses
Win95.Smash.10262

This is a memory-resident parasitic Windows 9x virus about 10 KB in length. It uses Win9x-specific functions (VxD calls) and is therefore unable to spread under Windows NT.
The virus infects PE EXE files by appending its code to the end of the file. It pays no attention to the file name extension and as a result infects any Windows PE file: executable files, DLL libraries, SCR screen savers, etc.
Payload
The virus carries a very dangerous payload routine that is activated on July 14th: it overwrites the C:\IO.SYS file with trojan code and displays the message:
Virus Warning!
Your computer has been infected by virus.
Virus name is 'SMASH', project D version 0x0A.
Created and compiled by Domitor.
Seems like your bad dream comes trueall
The virus then reboots the computer. During the reboot the modified IO.SYS file is loaded and executed, the trojan code takes control, displays the text "Formating hard disk..." and then erases the data on the first hard drive.
Infection
To make detection and disinfection of infected files more difficult, the virus uses a polymorphic engine that hides the virus body behind a mutating decryption loop.
The virus also uses a "block-mixing" structure (a similar method was used in the DOS virus "Badboy"). The virus code and data are divided into about 60 blocks (installation, infection and payload routines, etc.). Each time the virus infects a file, it shuffles these blocks into a random order and links them together through a special table. As a result, the virus layout differs in every infected file.
File 1                      File 2

+---------+                 +---------+
| block 1 |  -------------> | block 1 |
+---------+                 +---------+
| block 2 |  ---+   +-----> | block 3 |
+---------+     |   |       +---------+
| block 3 |  ---|---+  +--> | block 2 |
+---------+     |      |    +---------+
|   ...   |     +------+    |   ...   |
+---------+                 +---------+

When the virus code has been prepared for writing to the victim file (blocks mixed, encrypted and wrapped in a polymorphic "envelope"), the virus creates a new section at the end of the file, writes its code there and updates the necessary fields in the PE header, including the program's entry-point address, so that it gains control the moment an infected file is executed. The name of the virus section is randomly generated.
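The infection layout just described (a new, randomly named trailing section that owns the entry point) is a pattern a defender can check for without any virus-specific signature. The following Python script is an added example, not part of the original description and not Kaspersky's or the virus author's code. It parses the PE headers with the standard library only, reports whether the entry point lies inside the last section and whether that section's name is one a normal linker would produce, and builds two constructed header-only samples (a normal layout and an appended-section layout) so it runs offline. The section names, addresses and the "qxz3w" section name are invented for illustration; the check is a heuristic, since packers and some linkers also place the entry point in a trailing section.

```python
import struct

# Section names commonly produced by compilers and linkers. A last section with a name
# outside this set is not proof of infection, only one signal to combine with the
# entry-point check.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS",
}


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40          # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return entry_rva, sections


def assess(data: bytes) -> dict:
    """Flag files whose entry point lies in an unusually named trailing section."""
    entry_rva, sections = parse_pe(data)
    findings = []
    if sections:
        name, vaddr, vsize = sections[-1]
        entry_in_last = vaddr <= entry_rva < vaddr + max(vsize, 1)
        if entry_in_last and len(sections) > 1:
            findings.append(f"entry point 0x{entry_rva:X} is inside the last section {name!r}")
        if name not in COMMON_SECTION_NAMES:
            findings.append(f"last section has a non-standard name {name!r}")
    return {
        "entry_rva": entry_rva,
        "last_section": sections[-1][0] if sections else None,
        "findings": findings,
        # Both signals together match the appended-section pattern described above.
        "suspicious": len(findings) == 2,
    }


def build_pe(sections, entry_rva: int) -> bytes:
    """Build a minimal PE32 header for testing (constructed sample, not a real program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    hdrs = b""
    for name, vaddr, vsize in sections:
        hdrs += name.encode("ascii").ljust(8, b"\0")
        hdrs += struct.pack("<IIIIIIHHI", vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed samples: a normal layout, and the layout an appended-section infector
# leaves behind (random-looking trailing section that owns the entry point).
CLEAN_SAMPLE = build_pe([(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)], 0x1400)
INFECTED_SAMPLE = build_pe(
    [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000), ("qxz3w", 0x4000, 0x2800)],
    0x4120,
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, assess(sample))
```

On real files, read the whole file into `data` and call `assess`; treat a `suspicious` result as a triage hint to compare the file against a known-good copy or a hash baseline, not as a verdict on its own.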
Memory residence and stealth functions
The virus installs itself into Windows memory and stays resident until the Windows session ends. To do this it uses a programming trick to switch from application mode to kernel mode (Ring3 -> Ring0). It then allocates a block of kernel memory, hooks file search and open operations through the Windows kernel file-system interface (IFS API), and remains in memory as a VxD driver.
When disk files are searched or opened, the virus's hook takes control and runs its infection and stealth routines. The stealth routine makes the virus very difficult to detect while it is active.
© 2006-2008 spyware32.com - Privacy Policy